Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the agreement between TechMO LLC (“refiner-ai”, “Processor”) and the customer that accepts it (“Customer”, “Controller”) for the Customer’s use of the refiner-ai service (the “Service”), as described in the Terms of Service (the “Agreement”). It applies where refiner-ai processes personal data on the Customer’s behalf.
If there is a conflict between this DPA and the Agreement on data protection, this DPA controls.
How to accept: This DPA is incorporated into the Agreement for business/Team accounts. To request a signed copy, contact support-team@techmo.jp.
1. Definitions
Terms such as “personal data”, “processing”, “controller”, “processor”, “sub-processor”, and “data subject” have the meanings given in Applicable Data Protection Law. “Applicable Data Protection Law” means all laws applicable to the processing under this DPA, including Japan’s Act on the Protection of Personal Information (“APPI”), the EU/UK General Data Protection Regulation (“GDPR”), and the California Consumer Privacy Act as amended (“CCPA/CPRA”). “Customer Personal Data” means personal data that refiner-ai processes on the Customer’s behalf under the Agreement.
2. Roles and scope
a. For Customer Personal Data, the Customer is the controller (or is a processor acting for a third-party controller) and refiner-ai is the processor.
b. refiner-ai will process Customer Personal Data only to provide the Service and only in accordance with the Customer’s documented instructions, including as set out in this DPA, the Agreement, and the configuration and use of the Service by the Customer’s authorized users. The Agreement and the Customer’s use of the Service are the Customer’s complete and final instructions; additional instructions require written agreement.
c. refiner-ai will inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law (unless prohibited from doing so).
d. The details of processing are set out in Annex 1.
3. Customer responsibilities
The Customer is responsible for the accuracy, quality, and legality of Customer Personal Data and for the means by which it acquired that data. The Customer represents that it has a lawful basis and any necessary notices and consents for refiner-ai (and its sub-processors) to process Customer Personal Data as contemplated by the Agreement — including the transmission of text selected by its users to refiner-ai’s AI provider(s) for processing, and the cross-border transfer of that data described in Section 7. The Customer must not submit special-category / “special care-required” data unless expressly agreed.
4. Confidentiality
refiner-ai will ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and process the data only as needed to provide the Service.
5. Security
refiner-ai will implement and maintain appropriate technical and organizational measures to protect Customer Personal Data, as described in Annex 2, taking into account the state of the art, costs, and the nature and risk of the processing.
6. Sub-processors
a. Authorization. The Customer provides general authorization for refiner-ai to engage sub-processors to provide the Service. A current list of sub-processors — including refiner-ai’s AI providers, hosting provider, and payment processor — is set out in Annex 3.
b. Obligations. refiner-ai will impose data protection obligations on each sub-processor that are no less protective than those in this DPA, and remains responsible for its sub-processors’ performance.
c. Changes. refiner-ai will notify the Customer of any intended addition or replacement of a sub-processor at least 30 days in advance (for example, by email or by updating the sub-processor list), giving the Customer the opportunity to object on reasonable data-protection grounds. If the Customer objects and the parties cannot resolve the objection, the Customer may terminate the affected part of the Service.
7. International transfers
Providing the Service involves transferring Customer Personal Data outside Japan and, where applicable, outside the EEA/UK — including to refiner-ai’s AI processing providers in the United States and to its cloud hosting, database, and authentication provider in Singapore. (Application compute is hosted in Tokyo, Japan.) The identities of the current sub-processors are provided to the Customer on request (see Annex 3).
- APPI. Where the Customer is subject to the APPI, refiner-ai will support transfers on the basis selected in the Privacy Policy — currently the data subject’s consent, with the required disclosures (destination countries, those countries’ data-protection regimes, and the recipients’ security measures). refiner-ai may in future adopt a system ensuring APPI-equivalent measures by the recipients, monitored at least annually.
- GDPR/UK. Where required, the parties will rely on the European Commission’s Standard Contractual Clauses and the UK Addendum, which are incorporated by reference and completed using the details in the Annexes. (Module and roles to be confirmed with counsel.)
8. Assistance to the Customer
Taking into account the nature of the processing, refiner-ai will provide reasonable assistance to the Customer, by appropriate technical and organizational measures and insofar as possible, to:
- respond to data subject requests to exercise their rights;
- meet security, breach-notification, data-protection-impact-assessment, and prior-consultation obligations.
If refiner-ai receives a request directly from a data subject relating to Customer Personal Data, it will, where legally permitted, advise the data subject to contact the Customer and will not otherwise respond except on the Customer’s instructions.
9. Personal data breaches
refiner-ai will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably available to help the Customer meet its notification obligations. Notice of a breach is not an acknowledgment of fault or liability.
10. Audits
refiner-ai will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or its authorized auditor. refiner-ai does not currently hold third-party security certifications (such as SOC 2 or ISO 27001); it will respond to reasonable security questionnaires and provide available documentation instead. Audits are subject to reasonable notice, confidentiality obligations, a frequency of no more than once per year (absent a regulator requirement or a known breach), and the Customer’s bearing of its own costs.
11. Return and deletion
On termination of the Agreement, refiner-ai will, at the Customer’s choice, delete or return Customer Personal Data and delete existing copies, except to the extent retention is required by law. By default, Customer Personal Data is deleted following account closure (deletion cascades across account, Context, Profile, Card, and usage records), subject to billing and usage records that we retain for up to seven (7) years as required by Japanese tax and accounting law, consistent with the Privacy Policy.
12. Liability and term
The liability of each party under this DPA is subject to the limitations and exclusions of liability in the Agreement. This DPA takes effect when the Customer accepts the Agreement (or signs this DPA) and continues until refiner-ai has ceased all processing of Customer Personal Data.
13. Governing law
This DPA is governed by the law that governs the Agreement (the laws of Japan), unless Applicable Data Protection Law (or the Standard Contractual Clauses) requires otherwise.
Annex 1 — Details of processing
- Subject matter: Provision of the refiner-ai Service (AI-assisted rewriting, translation, and summarization of user-selected text, with context/profile/card storage and cross-device sync).
- Duration: For the term of the Agreement, plus any retention period stated in the Privacy Policy (up to seven years for billing/usage records).
- Nature and purpose: Processing text and account data to return refined output to authorized users and to operate, secure, and support the Service.
- Types of personal data: Account identifiers (email; optional name); the contents of text that users select for refinement, which may contain personal data about users or third parties (processed transiently and not stored in full, except a short ~10-character preview retained in usage records); context, profile, and card content that users choose to save; and usage and diagnostic data (endpoint, AI provider and model, token counts, request identifier, card type, context count).
- Categories of data subjects: The Customer’s authorized users; any individuals referenced in the text those users submit.
- Special-category data: None permitted unless separately agreed.
Annex 2 — Technical and organizational measures
refiner-ai maintains, at a minimum:
- Encryption in transit (TLS/HTTPS) for all traffic between the App, our servers, our hosting/authentication provider, and our AI providers.
- Encryption at rest via managed database and cloud infrastructure.
- Access controls — database Row-Level Security restricting each user to their own records; least-privilege handling of administrative/service credentials.
- Authentication — signed JSON Web Tokens verified against the identity provider’s published keys; internal service-to-service authentication for privileged operations.
- Application security — input length limits, restricted cross-origin access, and secure software-development practices.
- Data minimization and retention controls — full input text is not stored; self-service account and data deletion is available.
- Personnel — confidentiality obligations for those with access.
- Incident response — breach detection and notification procedures (see Section 9). (Formal runbook in progress.)
Annex 3 — Sub-processors
refiner-ai engages the following categories of sub-processors to provide the Service. The identities of the specific sub-processors in each category are provided to the Customer on request at support-team@techmo.jp, and the Customer is notified of changes under Section 6(c).
| Category | Purpose | Location |
|---|---|---|
| AI processing provider(s) | AI processing of submitted text | United States |
| Cloud hosting, database & authentication provider | Authentication, database, storage, sync | Singapore |
| Cloud infrastructure provider | Application hosting / compute | Japan (Tokyo) |
| Payment processor | Subscription billing | United States / Ireland |